pam.ntlm.auth.domains

This configuration parameter specifies the list of Active Directory domains whose users should be authenticated with NTLM instead of Kerberos. It lets you authenticate users across a firewall that blocks the Kerberos ports (TCP and UDP port 88) when a trust relationship exists between the domains inside and outside the firewall. When you set this parameter, the local domain controller outside the firewall passes its authentication requests through the transitive trust chain so that they are authenticated inside the firewall. Because NTLM is the weaker of the two protocols, list only the domains that cannot reach a Kerberos KDC; every domain not listed here continues to use Kerberos.

The parameter value must be one or more fully qualified Active Directory domain names. Each Active Directory domain name must also be mapped to its NTLM (NetBIOS) domain name. The mapping is discovered automatically if the firewall allows the discovery traffic; otherwise you must define it manually in the /etc/centrifydc/domains.conf file.

If firewall constraints prevent automatic discovery of the Active Directory to NTLM domain mapping, edit the /etc/centrifydc/domains.conf file so that it contains one colon-separated entry per line, in the form:

AD_DomainName:NTLM_DomainName

For example, the domains.conf file should consist of entries similar to the following:

AJAX.ORG:AJAX
FIREFLY.COM:FIREFLY
HR1.FIREFLY.COM:HR1

You can then set the adclient.ntlm.domains parameter with the file: keyword to point at this file. For example:

adclient.ntlm.domains: file:/etc/centrifydc/domains.conf

If you don’t want to keep the Active Directory to NTLM mapping in a separate file, you can put it directly in the adclient.ntlm.domains parameter as space-separated pairs in the format AD_DomainName:NTLM_DomainName. For example:

adclient.ntlm.domains: AJAX.ORG:AJAX FIREFLY.COM:FIREFLY

After you have configured the mapping, you can list the Active Directory domain names for this parameter. For example, to specify that the Active Directory domains AJAX.ORG and FIREFLY.COM, which are outside of the firewall with a one-way trust to the forest inside the firewall, should use NTLM authentication, you could set the parameter like this:

pam.ntlm.auth.domains: AJAX.ORG, FIREFLY.COM
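The documentation requires the mapping to be in place before a domain is listed for NTLM authentication; the following is an added Python example (not Delinea code) that cross-checks pam.ntlm.auth.domains against whichever form of adclient.ntlm.domains is in use, the inline pairs or the file: reference. It assumes the "name: value" layout of centrifydc.conf, the two adclient.ntlm.domains forms shown above, and the one-entry-per-line domains.conf format; the configuration text and domains.conf contents embedded below are constructed samples, not captured from a host.

```python
"""Check pam.ntlm.auth.domains against the AD-to-NTLM domain mapping.

Added example, not Delinea/Centrify code. Assumptions (labelled as such):
 - centrifydc.conf parameters are "name: value" lines; '#' starts a comment.
 - adclient.ntlm.domains holds either whitespace-separated AD:NTLM pairs or
   a single "file:/path" reference to a domains.conf-style file.
 - pam.ntlm.auth.domains is a comma- and/or whitespace-separated list.
 - domains.conf holds one AD_DomainName:NTLM_DomainName entry per line.
"""
from typing import Callable, Dict, List

# Constructed sample input, not captured from a real host.
SAMPLE_CENTRIFYDC_CONF = """\
# NTLM mapping kept in a separate file
adclient.ntlm.domains: file:/etc/centrifydc/domains.conf
pam.ntlm.auth.domains: AJAX.ORG, FIREFLY.COM
"""

# Constructed domains.conf content (stands in for the file: reference above).
SAMPLE_DOMAINS_CONF = """\
AJAX.ORG:AJAX
FIREFLY.COM:FIREFLY
HR1.FIREFLY.COM:HR1
"""

# Constructed variant with the mapping inline and one domain left unmapped.
SAMPLE_INLINE_CONF = """\
adclient.ntlm.domains: AJAX.ORG:AJAX FIREFLY.COM:FIREFLY
pam.ntlm.auth.domains: AJAX.ORG, FIREFLY.COM, HR1.FIREFLY.COM
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'name: value' lines into a dict; a later duplicate overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only: the value itself may contain colons
        # (AD:NTLM pairs, the file: keyword).
        name, sep, value = line.partition(":")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_domain_mapping(text: str) -> Dict[str, str]:
    """Parse AD_DomainName:NTLM_DomainName entries, one per line or whitespace-separated.

    Domain names are compared case-insensitively, so keys are upper-cased.
    A malformed entry raises ValueError rather than being silently dropped.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        for token in raw.split("#", 1)[0].split():
            ad_name, sep, ntlm_name = token.partition(":")
            if not sep or not ad_name or not ntlm_name or ":" in ntlm_name:
                raise ValueError(f"malformed AD:NTLM mapping entry: {token!r}")
            mapping[ad_name.upper()] = ntlm_name.upper()
    return mapping


def load_ntlm_mapping(params: Dict[str, str], read_file: Callable[[str], str]) -> Dict[str, str]:
    """Resolve adclient.ntlm.domains, following a file: reference via read_file."""
    value = params.get("adclient.ntlm.domains", "")
    if value.startswith("file:"):
        return parse_domain_mapping(read_file(value[len("file:"):]))
    return parse_domain_mapping(value)


def ntlm_auth_domains(params: Dict[str, str]) -> List[str]:
    """Return the AD domains listed in pam.ntlm.auth.domains, upper-cased."""
    value = params.get("pam.ntlm.auth.domains", "")
    return [d.upper() for d in value.replace(",", " ").split()]


def unmapped_ntlm_domains(conf_text: str, read_file: Callable[[str], str]) -> List[str]:
    """Return the domains in pam.ntlm.auth.domains that have no NTLM mapping.

    An empty list means every NTLM-authenticated domain is mapped, which is the
    precondition the documentation sets before listing a domain for NTLM.
    """
    params = parse_conf(conf_text)
    mapping = load_ntlm_mapping(params, read_file)
    return [d for d in ntlm_auth_domains(params) if d not in mapping]


if __name__ == "__main__":
    # Offline run against the constructed samples. On a real host, pass the
    # contents of /etc/centrifydc/centrifydc.conf and
    # read_file=lambda path: open(path, encoding="utf-8").read()
    print(unmapped_ntlm_domains(SAMPLE_CENTRIFYDC_CONF, lambda _path: SAMPLE_DOMAINS_CONF))
    print(unmapped_ntlm_domains(SAMPLE_INLINE_CONF, lambda _path: ""))
```

A non-empty result names the domains for which the mapping step was skipped: those users would be directed to NTLM authentication without a usable NTLM domain name. Either add the missing AD_DomainName:NTLM_DomainName entry or remove the domain from pam.ntlm.auth.domains so that it falls back to Kerberos.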

For more information about manually defining the mapping of Active Directory domains to NTLM domains, see adclient.ntlm.domains.

Alternatively, you can set the group policy Computer Configuration > Delinea Settings > DirectControl Settings > Pam Settings > Specify NTLM authentication domains.